This page applies to Apigee and Apigee hybrid.
This page provides an overview of using VPC Service Controls for API hub, covering service perimeter configuration, perimeter verification, and known limitations.
VPC Service Controls for API hub
API hub integrates with VPC Service Controls to provide enhanced network security for your API hub instance provisioned in Google Cloud.
VPC Service Controls enables you to establish a service perimeter around your API hub resources, constraining ingress and egress traffic. This perimeter helps to:
- Limit unauthorised access: Control which Google Cloud services and VPC networks can access your API hub resources.
- Prevent data exfiltration: Mitigate the risk of unauthorized download or export of API definitions, metadata, and other sensitive data stored within API hub.
- Meet compliance requirements: Support your organization's compliance and regulatory obligations by enforcing strict access controls.
For more information about VPC Service Controls, see the [Overview of VPC Service Controls](/vpc-service-controls/docs/overview).

Before you begin
- Read about [configuring service perimeters](/vpc-service-controls/docs/service-perimeters).
- Read about [management of VPC networks in service perimeters](/vpc-service-controls/docs/vpc-perimeters-management).
- Ensure that you have the required IAM role permissions to configure service perimeters. See [VPC Service Controls access control with IAM](/vpc-service-controls/docs/access-control).

Configure VPC Service Controls for API hub
To configure VPC Service Controls, you can use the Google Cloud console, the `gcloud` tool, or the [Access Context Manager APIs](/access-context-manager/docs/apis). Perform the following steps:
1. Create an access policy for API hub. For more information, see [Create an access policy](/vpc-service-controls/docs/service-perimeters#create-access-policy).
2. Create a service perimeter that includes the API hub (`apihub.googleapis.com`) service. For more information, see [Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

For information about the other optional VPC Service Controls configurations, see [Service perimeter configuration stages](/vpc-service-controls/docs/service-perimeters#stages).

Verify service perimeters
Verify and list the service perimeters created for API hub using the following `gcloud` command:

```
gcloud access-context-manager perimeters describe PERIMETER_NAME
```

For more information about managing service perimeters, see [Managing service perimeters](/vpc-service-controls/docs/manage-service-perimeters).

Limitations
All Apigee runtime projects associated with an API hub instance must reside within the same VPC Service Controls service perimeter as the API hub host project.

Last updated 2025-08-26 UTC.
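The following check is an added example, not part of the original page or of Google's tooling. It audits a perimeter description for the two conditions this page sets: `apihub.googleapis.com` is a restricted service, and the API hub host project and every Apigee runtime project sit in the same perimeter. It assumes the JSON follows the Access Context Manager ServicePerimeter resource shape (`status`, `spec`, `useExplicitDryRunSpec`); the function name, perimeter name and project numbers are constructed for illustration.

```python
import json

APIHUB = "apihub.googleapis.com"  # service name given on this page

# Constructed sample shaped like the ServicePerimeter resource (assumed to match
# `perimeters describe ... --format=json`); policy and project numbers are made up.
SAMPLE = json.loads("""
{
  "name": "accessPolicies/000000000000/servicePerimeters/apihub_perimeter",
  "status": {
    "resources": ["projects/111111111111", "projects/222222222222"],
    "restrictedServices": ["storage.googleapis.com"]
  },
  "useExplicitDryRunSpec": true,
  "spec": {
    "resources": ["projects/111111111111", "projects/222222222222"],
    "restrictedServices": ["storage.googleapis.com", "apihub.googleapis.com"]
  }
}
""")


def check_perimeter(perimeter, host_project, runtime_projects):
    """Return a list of findings; an empty list means the perimeter passes."""
    findings = []
    enforced = perimeter.get("status") or {}   # configuration actually enforced
    dry_run = perimeter.get("spec") or {}      # dry-run configuration, logged only

    if APIHUB not in enforced.get("restrictedServices", []):
        in_dry_run = APIHUB in dry_run.get("restrictedServices", [])
        if perimeter.get("useExplicitDryRunSpec") and in_dry_run:
            findings.append(f"{APIHUB} restricted in dry-run spec only, not enforced")
        else:
            findings.append(f"{APIHUB} is not a restricted service")

    # Limitation from this page: host and runtime projects share one perimeter.
    members = set(enforced.get("resources", []))
    for number in [host_project, *runtime_projects]:
        if f"projects/{number}" not in members:
            role = "host" if number == host_project else "runtime"
            findings.append(f"{role} project {number} is outside the perimeter")
    return findings


if __name__ == "__main__":
    runtimes = ["222222222222", "333333333333"]  # constructed runtime project numbers
    for finding in check_perimeter(SAMPLE, "111111111111", runtimes):
        print("FAIL:", finding)
```

A perimeter that lists the service only under `spec` logs violations without blocking them, which is why the check reports the dry-run case separately.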